<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
 
</head>

<body>
    <div>
        <div id="app">
            <!-- v-text assigns msg4 as plain text: the markup inside the string is displayed literally and never parsed. -->
            <h1 v-text="msg4"></h1>
            <!-- v-html assigns the same string as raw HTML: the img element is created for real and its onerror handler runs if the image fails to load. -->
            <h1 v-html="msg4"></h1>
            <!-- v-html is where XSS gets in: whatever string is bound here is parsed as markup and runs with this page's origin. -->
            <div v-html="msg5"></div>
        </div>

    </div>
    <!-- Development build: includes helpful console warnings. -->
    <!-- NOTE(review): "vue@2" is a floating version range, so the file served can change over time and a Subresource Integrity hash cannot be pinned to it. Outside a local demo, load an exact version with integrity and crossorigin attributes, or self-host the file. -->
    <script src="https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js"></script>
    <script>
        // v-html writes the bound string into the page as raw HTML, so whether it is safe
        // depends on where the string came from:
        //   - content your own backend generated and fully controls can be rendered with v-html;
        //   - anything a user supplied must be treated with great care, because some users are attackers.
        // NOTE(review): "it came from the backend" is not sufficient on its own. If the backend
        // stored or echoed user input (comments, profile fields, rich text), rendering it with
        // v-html is stored XSS. Prefer v-text / {{ }} interpolation; when HTML really must be
        // rendered, run it through an allowlist sanitizer (for example DOMPurify) first and back
        // that up with a Content-Security-Policy that blocks inline script.

        var vm = new Vue({
            // The container element this instance manages
            el: '#app',
            // Data definitions
            data: {
                msg: 'helloworld',
                msg2: '你好世界',
                msg3: '<h1>我是标题</h1>',
                // Test string: an <img> carrying an inline onerror handler. The template binds it once
                // with v-text (shown as text) and once with v-html (parsed as markup).
                msg4: '<img src="https://ftp.bmp.ovh/imgs/2021/03/5bf94c83e1ca17da.jpg" onerror="alert(44444)" alt="">',
                // Larger fragment bound with v-html: every <img> inside carries the same inline handler,
                // so each one is an independent script-execution point once the string is parsed as HTML.
                msg5: `
                <div class="aa">
                <img class="abc" src="https://ftp.bmp.ovh/imgs/2021/03/5bf94c83e1ca17da.jpg" onerror="alert(44444)" alt="">
                <img src="https://ftp.bmp.ovh/imgs/2021/03/5bf94c83e1ca17da.jpg" onerror="alert(44444)" alt="">
                <img src="https://ftp.bmp.ovh/imgs/2021/03/5bf94c83e1ca17da.jpg" onerror="alert(44444)" alt="">
                <img src="https://ftp.bmp.ovh/imgs/2021/03/5bf94c83e1ca17da.jpg" onerror="alert(44444)" alt="">
                <img src="https://ftp.bmp.ovh/imgs/2021/03/5bf94c83e1ca17da.jpg" onerror="alert(44444)" alt="">
            </div>
                `
            }
        })

        // Log the instance so it can be inspected from the browser console.
        console.log('vm', vm)



    </script>
</body>

</html>